PRODAFT and GreyNoise have reported numerous threat actors targeting vulnerable JetBrains TeamCity continuous integration and deployment servers affected by a critical authentication bypass flaw, only days after Sonar security researchers first disclosed the bug, according to BleepingComputer.
The vulnerability, tracked as CVE-2023-42793, has already been weaponized by widely known ransomware operations, PRODAFT said.
"Our BLINDSPOT platform has detected multiple organizations already exploited by threat actors over the last three days. Unfortunately, most of them will have a huge headache in the upcoming weeks," PRODAFT added.
Moreover, internet-facing TeamCity instances have been attacked from at least 56 IP addresses, according to GreyNoise, which had previously urged organizations to patch vulnerable TeamCity systems before Sept. 29 to avoid compromise. Data from the Shadowserver Foundation, however, showed that 1,240 servers remained exposed to attack as of Oct. 1.
Cloud environments are also being compromised by APT29, not only through previously breached service account credentials but also via former employee accounts that organizations had never disabled.